In order for a client application to communicate with the Web or application
server, you must validate the server’s self-signed certificate and install
it in the application’s trust store. The following procedure shows how:

To Validate and Install the Server’s Self-Signed Certificate

Validate the server’s certificate.

By default,
the Sun Java System Application Server generates a self-signed certificate
and stores it in a key store file at the location

appServerRoot/glassfish/domains/domain1/config/keystore.jks

where appServerRoot is
the root directory in which the Application Server is installed.

Note –

If necessary, you can use the JDK Key Tool
utility to generate a key store of your own and use it in place of the default
key store. For more information, see the section “Establishing a Secure
Connection Using SSL” in Chapter 28, “Introduction
to Security in Java EE,” of the Java EE 5 Tutorial at

http://java.sun.com/javaee/5/docs/tutorial/doc/Security-Intro7.html

Make the directory containing the key store file your current
directory.

For example, to use the Application Server’s
default key store file (as shown above), navigate to its directory with the
command

cd appServerRoot/glassfish/domains/domain1/config

where appServerRoot is,
again, the root directory in which the Application Server is installed.

By default, the key store password is set to changeit;
you can use the Key Tool utility’s -storepasswd option
to change it to something more secure. After you have entered a valid password,
the Key Tool utility will respond with output like the following:

Obtain
the correct fingerprints for the Application Server’s self-signed certificate
by independent means (such as by telephone) and compare them with the fingerprints
displayed by the keytool -list command. Do not accept the certificate and install it in your application’s
trust store unless the fingerprints match.

Export the Application Server’s certificate to a certificate
file.

Use the Key Tool utility’s -export option
to export the certificate from the Application Server’s key store to
a separate certificate file, from which you can then import it into your application’s
trust store. For example, the following command exports the certificate shown
above, whose alias is slas, from the Application Server’s
default key store (keystore.jks) to a certificate file
named slas.cer:

If you
wish, you can double-check the contents of the certificate file to make sure
it contains the correct certificate:

List the contents of the certificate file.

The Key
Tool utility’s -printcert option lists the contents
of a specified certificate file. For example, the following command lists
the certificate file slas.cer that was created in the
preceding step:

keytool -printcert -file slas.cer -v

Once
again, the -v option tells the Key Tool utility to display
the certificate’s fingerprints in human-readable form. The resulting
output looks like the following:

Examine
the output from the keytool -printcert command
to make sure that the certificate is correct.

Import the certificate into your application’s trust store.

The Key Tool utility’s -import option installs
a certificate from a certificate file in a specified trust store. For example,
if your client application’s trust store is kept in the file /local/tmp/imqhttps/appKeyStore, the following command will install the certificate from the file slas.cer created above: